Cybersecurity Best Practices: Patch Management

In May 2017, the WannaCry ransomware cryptoworm wreaked havoc, infecting more than 200,000 computers in 150 countries and causing hundreds of millions of dollars in damages. The ransomware spread through the EternalBlue exploit, a program designed by the National Security Agency (NSA) to penetrate unpatched Windows-based systems through an SMB vulnerability. By the time WannaCry began spreading, Microsoft had already released a patch that neutralized the attack. However, many organizations did not install it in a timely manner, causing far greater damage than necessary.

Although not always so widespread or destructive, this scenario is all too common, largely due to unpatched vulnerabilities. In fact, the Ponemon Institute estimates that nearly 60% of organizations that suffered a data breach in the past 2 years knew they had a vulnerability but hadn’t patched it yet. Another survey by CA Veracode found that up to 70% of bugs remain unpatched 4 weeks after disclosure, and close to 55% are not resolved 3 months after discovery.

In many ways, patch management is like going around your house before bedtime, making sure all the doors and windows are locked. You’re looking for vulnerabilities, or attack surfaces, that allow adversaries into your system. Most of these vulnerabilities are disclosed and published online—along with references to the patches that fix them. In some cases, researchers have identified a vulnerability for which no patch yet exists; these are better known as zero-day vulnerabilities. They are still good to know about, even if you can’t fix them immediately, because you can put mitigating countermeasures in place and watch for a patch once it becomes available. The main priority, though, is to address vulnerabilities as soon as possible, so that you’re not rolling out a welcome mat for hackers looking to access and compromise your system.

This final installment of the cybersecurity best practices series dives into the importance of patch management and how to ensure the virtual doors and windows to your network are secure.

Risks of Leaving Cybersecurity Vulnerabilities Unpatched

Vulnerabilities create a foothold in your applications and network. They allow threat actors access to steal information or compromise your ability to perform key business functions. Since vulnerabilities are often disclosed and published online when they are discovered, malicious actors can quickly and easily develop exploits for them. Known vulnerabilities should be considered low-hanging fruit for cybercriminals, as they can cause massive amounts of financial loss and damage for businesses.

EternalBlue, for instance, was widely used to exploit Windows systems in 2017 to carry out 2 of the most prolific and destructive cyber events to date—the WannaCry ransomware attack and NotPetya cyberattack. Both attacks—carried out within months of one another—brought business operations to a screeching halt around the world by holding data hostage from healthcare organizations, educational institutions, government entities, industrial control centers, and more—and that’s not even half of it.

Furthermore, breaches are expensive, costing affected companies in the U.S. an average of $7.91 million per incident, according to a report by IBM Security and the Ponemon Institute. A good patch management program isn’t free, but it will more than pay for itself in the money, time, customer data, and company reputation you save by reducing the likelihood of a cyberincident.

Best Practices of Patch Management

Fundamentally, patch management is a structured process for updating systems and software with new pieces of code. Often these patches fix vulnerabilities that may leave your system open to hackers, but sometimes they simply address problems in the programs you use, or add new functionalities to them. There are 2 important parts to a patch management process: asset management and change management.

Asset Management

Asset management—or a thorough review of your technology, systems, equipment, and connectivity—is the foundation for patch management. You can’t patch your system until you know what you have and where it is vulnerable.

Automated tools from Rapid7 and Tenable can streamline the process of identifying assets and vulnerabilities across your IT infrastructure. However, these tools need to be run regularly, if not constantly. They provide a snapshot of where your issues are right now—which can change rapidly. These tools also track trends in malware and other hacking mechanisms, so that you can stay ahead of ever-evolving criminal adversaries. In addition, they tie into your company’s risk assessment framework, identifying where you are vulnerable and how that may affect your business.

Change Management

Change management is a process for fixing known vulnerabilities while keeping all business units informed and minimizing the impact on your business and operations. Software updates can be disruptive, particularly if they conflict with existing IT assets and systems.

Ideally, you test patches on a small subset of systems to see how they work before you extend the fix to your entire system. As you see the results of these tests, you can make any necessary adjustments before performing a system-wide roll-out.

When patches are working properly, you can approve them through a change management workflow to document the changes and push them out to the rest of your infrastructure. And it’s a good idea to put your change management process on a regular schedule to ensure consistency and keep pace with ongoing vulnerability assessments and other business needs.

Best Practices – Order of Activities:

  • Asset management identifies your attack surface
  • Regular assessments keep up with emerging threats
  • Patch management process tracks trending vulnerabilities over time
  • Patches are implemented in a calculated and organized way
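As an added illustration (not code from the original post) of the flow above, the following Python patch-gap report joins a constructed asset inventory against constructed vulnerability advisories, flags hosts still missing a fix, measures how long each has been exposed, and splits the work into a pilot wave and a full rollout wave. All hostnames, product names, versions, dates and advisory ids are made up.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    pilot: bool  # member of the small test subset that is patched first

@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    fixed_in: str    # first version that contains the fix
    disclosed: date  # public disclosure date

# Constructed sample data: what asset management found, and what was published.
ASSETS = [
    Asset("web-01", "exampleapp", "2.3.1", pilot=True),
    Asset("web-02", "exampleapp", "2.4.0", pilot=False),
    Asset("db-01", "exampledb", "10.1.0", pilot=False),
    Asset("db-02", "exampledb", "10.2.0", pilot=True),
]
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "exampleapp", "2.4.0", date(2024, 1, 10)),
    Advisory("ADV-EXAMPLE-002", "exampledb", "10.2.0", date(2024, 2, 20)),
]

def parse_version(v: str) -> tuple:
    """Dotted numeric version to a tuple so 10.2.0 compares greater than 9.9.9."""
    return tuple(int(part) for part in v.split("."))

def is_vulnerable(asset: Asset, adv: Advisory) -> bool:
    return asset.product == adv.product and parse_version(asset.version) < parse_version(adv.fixed_in)

def patch_gap_report(assets, advisories, today: date):
    """Return (host, advisory_id, days_exposed, wave) for every missing patch.
    Wave 1 is the pilot subset tested before a system-wide rollout, wave 2 the rest;
    the oldest exposures are listed first so they get attention first."""
    rows = [(a.host, adv.advisory_id, (today - adv.disclosed).days, 1 if a.pilot else 2)
            for a in assets for adv in advisories if is_vulnerable(a, adv)]
    rows.sort(key=lambda r: (-r[2], r[3], r[0]))
    return rows

def overdue(rows, sla_days: int = 28):
    """Entries exposed longer than the SLA (default 4 weeks, the window cited above)."""
    return [r for r in rows if r[2] > sla_days]

if __name__ == "__main__":
    report = patch_gap_report(ASSETS, ADVISORIES, date(2024, 3, 1))
    for host, adv_id, days, wave in report:
        print(f"{host:8} {adv_id:16} exposed {days:3d} days  wave {wave}")
    print("overdue:", [r[0] for r in overdue(report)])
```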

Don’t Suck at Patching

Setting up a systematic, disciplined process for identifying vulnerabilities, testing, and implementing patches may seem time-consuming and complicated but, done right, it will save you time and money in the end. A single breach can undo years of reputation-building, destroy customer relationships, and cost thousands, if not millions, of dollars. Defending your IT assets through rigorous patch management is far more cost-efficient than playing clean-up once a problem has occurred.

Remember that at the end of the day, cybersecurity professionals must be right 100% of the time, whereas attackers only have to be right once. Vulnerabilities are by and large the most prevalent way for attackers to get into your system, so a good patch management system plays an important role in closing the door on your criminal adversaries.

Throughout this series, we’ve discussed cybersecurity best practices to help equip your organization for success, but all good things must come to an end. If you feel you need assistance in any of the areas discussed through this series, contact us today and we’ll be glad to help assess your needs and secure your infrastructure.
